CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Crypto-Mining Attack Targets Web Servers Globally

A new malware family is targeting web servers worldwide in an attempt to ensnare them into a crypto-mining botnet, security researchers have discovered.

A new malware family is targeting web servers worldwide in an attempt to ensnare them into a crypto-mining botnet, security researchers have discovered.

Dubbed RubyMiner, the threat was discovered last week, when it started launching massive attacks on web servers in the United States, Germany, United Kingdom, Norway, and Sweden. Within a single day, the attackers behind this malware attempted to compromise nearly one third of networks globally, Check Point revealed last week.

The purpose of the attack, which is targeting both Windows and Linux servers, is to install a Monero miner by exploiting old vulnerabilities that have been published and patched in 2012 and 2013. The attackers weren’t looking for stealth compromise, but attempted to compromise a large number of vulnerable HTTP web servers as quickly as possible.

The infection campaign is targeting vulnerabilities in PHP, Microsoft IIS, and Ruby on Rails. Despite the large number of compromise attempts observed, only 700 servers worldwide have been successfully enslaved within the first 24 hours of attacks.

The attack on Ruby on Rails attempts to exploit CVE-2013-0156, a remote code execution vulnerability. A base64 encoded payload is delivered inside a POST request, expecting the Ruby interpreter on the server to execute it.

The payload is a bash script designed to add a cronjob that runs every hour and downloads a robots.txt file containing a shell script, designed to fetch and execute the crypto-miner, but not before checking whether it is already active on the host. Not only the mining process, but the entire download and execution operation runs every hour.

“This is possibly to allow the attacker to initiate an immediate kill switch for the miner bot. If the attacker would like to end the process on the infected machines, all that needs to be done is modify the robots.txt file on the compromised webserver to be inactive. Within a minute, all the machines re-downloading the file will be receiving files without the crypto miners,” Check Point notes.

The deployed malware – on all infected servers – is XMRig, a Monero miner that was used in September 2017 in an attack exploiting a vulnerability in Microsoft IIS 6.0, the webserver in Windows Server 2003 R2.

Advertisement. Scroll to continue reading.

One of the domains used in the newly observed infection campaign is lochjol.com, which was previously used in an attack in 2013. That attack abused the Ruby on Rails vulnerability as well, and also had some features common with the current incident, but the researchers couldn’t determine further connections between the two, especially with their purpose seemingly different.

Related: Monero Miner Sends Cryptocurrency to North Korean University

Related: Monero Miner Infects Hundreds of Windows Servers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.

Register

As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...